Malware.. kavo, tavo..

rckwll · May 7, 2008

I started having suspicious that the computer have a malware when I saw the message on startup "the memory could not be 'read'", and "tavo.exe" or "kavo.exe" or "2.exe" written in the same windows..
The strange thing is that my "Avast antivirus" haven`t found ANYTHING suspicious in the scans I made, but kapersky online scanner found a lot!

HJT log (AFTER I installed Spybot, and fixed everything in red on secure mode)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:10:38, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM_STI.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Palm\Hotsync.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Usuario\CONFIG~1\Temp\ff.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Palm Registration.lnk = C:\Arquivos de programas\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Arquivos de programas\Palm\Hotsync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.catarinense.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8079 bytes

Kapersky online scanner (scanned BEFORE I installed spybot and corrected some things)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 10:56:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742492
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 122152
Number of viruses found: 31
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 01:48:56

Infected Object Name / Virus Name / Last Action
C:\0qx0sc6.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\2y8la.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\report\Proteção residente.txt Object is locked skipped
C:\Arquivos de programas\BrainWave Generator\BrainWave.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip/Absolute.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip ZIP: infected - 1 skipped
C:\c.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Histórico\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\9b2ek.dll Infected: Trojan-PSW.Win32.OnLineGames.acka skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\ac7.dll Infected: Trojan-PSW.Win32.OnLineGames.acka skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\cny8p.dll Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\ff.exe Infected: Trojan-PSW.Win32.OnLineGames.adnp skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\generator.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\gm2djq.dll Infected: Trojan-PSW.Win32.OnLineGames.aded skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\if.dll Infected: Trojan-PSW.Win32.OnLineGames.abbj skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\mt7w.dll Infected: Trojan-PSW.Win32.OnLineGames.adej skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru1.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru2.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru3.tmp Infected: Worm.Win32.AutoRun.dkf skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru32.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru33.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru4.tmp Infected: Worm.Win32.AutoRun.dkw skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru5.tmp Infected: Trojan-PSW.Win32.OnLineGames.adds skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tru6.tmp Infected: Trojan-PSW.Win32.OnLineGames.adnp skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\truE5.tmp Infected: Trojan-PSW.Win32.OnLineGames.adds skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\truE7.tmp Infected: Trojan-PSW.Win32.OnLineGames.adds skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\tw4nfj.dll Infected: Trojan-PSW.Win32.OnLineGames.adns skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\un.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxy skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\cert8.db Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\history.dat Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\key3.db Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\parent.lock Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\7dyho099.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Usuario\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Usuario\ntuser.dat.LOG Object is locked skipped
C:\lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071696.dll Infected: Trojan-PSW.Win32.OnLineGames.aazm skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071698.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071816.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071826.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071831.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071873.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071875.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071883.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071925.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071927.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071943.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071944.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071946.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071954.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072008.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072010.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072011.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083814.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083816.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083823.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083824.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083835.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083838.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083846.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083847.dll Infected: Trojan-PSW.Win32.OnLineGames.abal skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083859.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083862.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083870.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083871.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083914.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083932.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083935.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083958.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083959.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083962.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kavo.exe Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\WINDOWS\system32\kavo0.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\WINDOWS\system32\kavo1.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\WINDOWS\system32\tavo.exe Infected: Trojan.Win32.Vaklik.agh skipped
C:\WINDOWS\system32\tavo0.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\WINDOWS\system32\tavo1.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\0qx0sc6.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\2y8la.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\c.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071699.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071833.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071877.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071929.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071948.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072012.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072013.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083840.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083864.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083916.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083937.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083964.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\change.log Object is locked skipped
F:\lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\c.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054954.dll Infected: not-a-virus:AdWare.Win32.WinAD.am skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab/Sp0.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe CreateInstall: infected - 2 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071700.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071822.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071835.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071879.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071931.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071950.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072014.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072015.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP527\A0073108.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083842.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083866.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083918.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083939.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\change.log Object is locked skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083966.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\2y8la.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\0qx0sc6.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
F:\mirc6\miRC 6\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd.zip/mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd.zip ZIP: infected - 1 skipped

Scan process completed.

Thank´s for the future help I`m sure I`m gonna get (as I had once before

)

Blade81 · May 7, 2008

Hi

If you've used pen drive or other USB storage with this infected system I recommend you reformat it now. This infection infects USB storage and if the device is plugged in some other system it gets infected too.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

rckwll · May 8, 2008

The Combofix go until the message "Combofix has changed your clock seetings. Do not change it back. It shall be restored later".
Then the pc immediatelly restarts.. if I try the combofix again, the same thing happens. (tried 2 times)

Blade81 · May 8, 2008

Hi

Could you try running ComboFix in safe mode?

rckwll · May 8, 2008

Of course, safe mode, I should have think of it before

I`m sorry about the language, I think combofix detected my OS language..

THank`s for the help

ComboFix 08-05-01.3 - Usuario 2008-05-08 19:23:03.1 - NTFSx86 MINIMAL
Executando de: C:\Documents and Settings\Usuario\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
C:\WINDOWS\system32\tavo1.dll

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-08 to 2008-05-08 ))))))))))))))))))))))))))))))))
.

2008-05-08 18:19 . 2008-05-08 18:19 116,572 -r-hs---- C:\j.cmd
2008-05-08 18:19 . 2008-05-08 18:19 110,947 --a------ C:\WINDOWS\tt.exe
2008-05-07 11:22 . 2008-05-07 22:54 116,300 -r-hs---- C:\6g3.com
2008-05-06 23:02 . 2008-05-06 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2008-05-06 23:02 . 2008-05-06 23:02 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-05-04 19:43 . 2008-05-07 00:09 118,115 -r-hs---- C:\0qx0sc6.bat
2008-05-02 14:29 . 2008-05-02 14:29 69,008 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-18 13:14 . 2008-04-15 21:34 117,642 -r-hs---- C:\2y8la.exe
2008-04-16 11:12 . 2008-04-15 21:34 117,642 -r-hs---- C:\c.com
2008-04-15 21:33 . 2008-04-08 06:57 117,683 -r-hs---- C:\lgcadwx.bat

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 01:46 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-05-06 17:04 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Skype
2008-05-04 15:31 --------- d-----w C:\Arquivos de programas\eMule
2008-05-03 23:12 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2008-05-03 17:03 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-05-02 17:28 --------- d-----w C:\Arquivos de programas\Picasa2
2008-04-21 23:46 --------- d-----w C:\Arquivos de programas\Steam
2008-04-21 18:46 --------- d-----w C:\Arquivos de programas\Miranda IM
2008-04-18 17:03 --------- d-----w C:\Arquivos de programas\ScanSpyware v3.8.0.4
2008-04-15 23:40 --------- d-----w C:\Arquivos de programas\Java
2008-04-06 01:36 --------- d-----w C:\Arquivos de programas\Palm
2008-03-30 20:26 --------- d-----w C:\Arquivos de programas\MSN Messenger
2008-03-20 23:27 --------- d-----w C:\Arquivos de programas\Windows Live
2008-03-20 23:26 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-03-20 23:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Mobipocket.com
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Mobipocket Shared
2008-02-28 02:44 98,304 ----a-w C:\WINDOWS\DUMP75db.tmp
2008-02-24 20:10 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-02-20 16:30 11,720 ----a-w C:\Arquivos de programas\uninstal.log
2002-12-11 17:17 13,366,265 --s-a-w C:\Arquivos de programas\Encore Manual.pdf
2004-08-04 03:45 73,728 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2006-11-12 07:48 157592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-14 07:36 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-02-24 16:00 49152]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]
"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\Usuario\Menu Iniciar\Programas\Inicializar\
Palm Registration.lnk - C:\Arquivos de programas\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
HOTSYNCSHORTCUTNAME.lnk - C:\Arquivos de programas\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-26 11:24 357952]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-26 11:24 357952 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Rockstar Games\\Midnight Club II\\mc2.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Doomsday\\Bin\\Doomsday.exe"=
"C:\\Program Files\\Neoact\\Carom3D\\update.exe"=
"C:\\downloads\\utorrent.exe"=
"C:\\Arquivos de programas\\Miranda IM\\miranda32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\X-Lite\\X-Lite.exe"=
"C:\\Arquivos de programas\\Steam\\steamapps\\vagnerlevy\\day of defeat\\hl.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23850:TCP"= 23850:TCP:*

isabled:BitComet 23850 TCP
"23850:UDP"= 23850:UDP:*

isabled:BitComet 23850 UDP
"16107:TCP"= 16107:TCP:*

isabled:BitComet 16107 TCP
"16107:UDP"= 16107:UDP:*

isabled:BitComet 16107 UDP
"17822:TCP"= 17822:TCP:*

isabled:BitComet 17822 TCP
"17822:UDP"= 17822:UDP:*

isabled:BitComet 17822 UDP
"9023:TCP"= 9023:TCP:*

isabled:BitComet 9023 TCP
"9023:UDP"= 9023:UDP:*

isabled:BitComet 9023 UDP
"11183:TCP"= 11183:TCP:*

isabled:BitComet 11183 TCP
"11183:UDP"= 11183:UDP:*

isabled:BitComet 11183 UDP
"23906:TCP"= 23906:TCP:*

isabled:BitComet 23906 TCP
"23906:UDP"= 23906:UDP:*

isabled:BitComet 23906 UDP
"23580:TCP"= 23580:TCP:*

isabled:BitComet 23580 TCP
"23580:UDP"= 23580:UDP:*

isabled:BitComet 23580 UDP
"43554:TCP"= 43554:TCP:43554
"43554:UDP"= 43554:UDP:43554

S0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 19:42]
S0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 01:38]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]
S3 PciCon;PciCon;D:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae48ed8-6578-11dc-9578-0015f2431e4d}]
\Shell\AutoRun\command - H:\c.com
\Shell\explore\Command - H:\c.com
\Shell\open\Command - H:\c.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72efd1df-81d5-11da-86f6-0013d47ef696}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96433632-5e39-11dc-956b-0015f2431e4d}]
\Shell\AutoRun\command - c.com
\Shell\explore\Command - c.com
\Shell\open\Command - c.com

*Newly Created Service* - CATCHME
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-08 22:11:58 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job"
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 19:26:27
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Tempo para conclusão: 2008-05-08 19:30:52
ComboFix-quarantined-files.txt 2008-05-08 22:29:49

Pre-Run: 3,836,628,992 bytes disponíveis
Post-Run: 4,015,321,088 bytes disponíveis

174 --- E O F --- 2008-02-27 01:50:10

Fresh HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:35:35, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM_STI.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Palm Registration.lnk = C:\Arquivos de programas\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Arquivos de programas\Palm\Hotsync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.catarinense.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7578 bytes

Blade81 · May 9, 2008

Hi

Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\j.cmd
C:\WINDOWS\tt.exe
C:\6g3.com
C:\0qx0sc6.bat
C:\2y8la.exe
C:\c.com
C:\lgcadwx.bat
H:\c.com

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ae48ed8-6578-11dc-9578-0015f2431e4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72efd1df-81d5-11da-86f6-0013d47ef696}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96433632-5e39-11dc-956b-0015f2431e4d}]

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above meantioned ComboFix resultant log).

rckwll · May 9, 2008

One thing I should tell, I only had the opportunity to format my mp3 player by now, So I plugged in to format today, I don`t know if it made difference...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 6:02:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 749864
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 119737
Number of viruses found: 26
Number of infected objects: 176
Number of suspicious objects: 0
Duration of the scan process: 01:52:18

Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\report\Proteção residente.txt Object is locked skipped
C:\Arquivos de programas\BrainWave Generator\BrainWave.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip/Absolute.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\Working\database_BCAC_856C_AC85_21CE\dfsr.db Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\Working\database_BCAC_856C_AC85_21CE\fsr.log Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\Working\database_BCAC_856C_AC85_21CE\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Messenger\mauriciolevy@hotmail.com\SharingMetadata\Working\database_BCAC_856C_AC85_21CE\tmp.edb Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows Live Contacts\mauriciolevy@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows Live Contacts\mauriciolevy@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\~DF1103.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\~DF1115.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Usuario\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\0qx0sc6.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\QooBox\Quarantine\C\2y8la.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\C\6g3.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\QooBox\Quarantine\C\c.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\C\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\C\lgcadwx.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071696.dll Infected: Trojan-PSW.Win32.OnLineGames.aazm skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071698.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071816.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071826.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071831.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071873.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071875.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071883.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071925.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071927.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071943.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071944.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071946.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071954.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072008.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072010.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072011.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083814.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083816.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083823.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083824.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083835.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083838.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083846.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083847.dll Infected: Trojan-PSW.Win32.OnLineGames.abal skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083859.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083862.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083870.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083871.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083914.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083932.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083935.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083958.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083959.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083962.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083979.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084035.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084036.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084040.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084045.exe Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084046.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084055.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084058.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084065.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084083.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084085.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084094.exe Infected: Trojan.Win32.Vaklik.agh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084095.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084103.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084118.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085086.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085090.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085097.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085099.exe Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085100.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085102.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086086.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086089.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086101.exe Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086102.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086103.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087086.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087090.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087098.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087099.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088087.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088107.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088110.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088118.exe Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088119.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088121.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088135.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088181.exe Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088182.dll Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088183.dll Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089297.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089298.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089299.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089300.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089301.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089302.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\WPD\wpdtrace.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_600.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\0qx0sc6.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\2y8la.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\6g3.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\c.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
E:\lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071699.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071833.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071877.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071929.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071948.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072012.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072013.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083840.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083864.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083916.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083937.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083964.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083981.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084041.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084060.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084087.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084105.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084120.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085092.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085103.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086091.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087092.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088089.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088112.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088137.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
F:\lgcadwx.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\c.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054954.dll Infected: not-a-virus:AdWare.Win32.WinAD.am skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab/Sp0.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe CreateInstall: infected - 2 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071700.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071822.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071835.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071879.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071931.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071950.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072014.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072015.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP527\A0073108.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083842.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083866.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083918.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083939.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083966.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083983.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084043.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084062.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084089.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084107.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084122.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085094.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085104.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086093.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087095.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088091.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088114.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088140.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
F:\2y8la.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\0qx0sc6.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
F:\6g3.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\j.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
F:\mirc6\miRC 6\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd.zip/mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd.zip ZIP: infected - 1 skipped

Scan process completed.
---

ComboFix 08-05-01.3 - Usuario 2008-05-09 13:58:56.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.791 [GMT -3:00]
Executando de: C:\Documents and Settings\Usuario\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Usuario\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\0qx0sc6.bat
C:\2y8la.exe
C:\6g3.com
C:\c.com
C:\j.cmd
C:\lgcadwx.bat
C:\WINDOWS\tt.exe
H:\c.com
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0qx0sc6.bat
C:\2y8la.exe
C:\6g3.com
C:\c.com
C:\j.cmd
C:\lgcadwx.bat
C:\WINDOWS\tt.exe
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-09 to 2008-05-09 ))))))))))))))))))))))))))))))))
.

2008-05-06 23:02 . 2008-05-06 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2008-05-06 23:02 . 2008-05-06 23:02 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-05-02 14:29 . 2008-05-02 14:29 69,008 --ah----- C:\WINDOWS\system32\mlfcache.dat

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 16:55 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-05-06 17:04 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Skype
2008-05-04 15:31 --------- d-----w C:\Arquivos de programas\eMule
2008-05-03 23:12 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2008-05-03 17:03 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-05-02 17:28 --------- d-----w C:\Arquivos de programas\Picasa2
2008-04-21 23:46 --------- d-----w C:\Arquivos de programas\Steam
2008-04-21 18:46 --------- d-----w C:\Arquivos de programas\Miranda IM
2008-04-18 17:03 --------- d-----w C:\Arquivos de programas\ScanSpyware v3.8.0.4
2008-04-15 23:40 --------- d-----w C:\Arquivos de programas\Java
2008-04-06 01:36 --------- d-----w C:\Arquivos de programas\Palm
2008-03-30 20:26 --------- d-----w C:\Arquivos de programas\MSN Messenger
2008-03-20 23:27 --------- d-----w C:\Arquivos de programas\Windows Live
2008-03-20 23:26 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-03-20 23:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Mobipocket.com
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Mobipocket Shared
2008-02-28 02:44 98,304 ----a-w C:\WINDOWS\DUMP75db.tmp
2008-02-24 20:10 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-02-20 16:30 11,720 ----a-w C:\Arquivos de programas\uninstal.log
2002-12-11 17:17 13,366,265 --s-a-w C:\Arquivos de programas\Encore Manual.pdf
2004-08-04 03:45 73,728 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-08_19.29.40.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 22:21:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 16:55:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2006-11-12 07:48 157592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-14 07:36 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-02-24 16:00 49152]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]
"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\Usuario\Menu Iniciar\Programas\Inicializar\
Palm Registration.lnk - C:\Arquivos de programas\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
HOTSYNCSHORTCUTNAME.lnk - C:\Arquivos de programas\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-26 11:24 357952]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-26 11:24 357952 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Rockstar Games\\Midnight Club II\\mc2.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Doomsday\\Bin\\Doomsday.exe"=
"C:\\Program Files\\Neoact\\Carom3D\\update.exe"=
"C:\\downloads\\utorrent.exe"=
"C:\\Arquivos de programas\\Miranda IM\\miranda32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\X-Lite\\X-Lite.exe"=
"C:\\Arquivos de programas\\Steam\\steamapps\\vagnerlevy\\day of defeat\\hl.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23850:TCP"= 23850:TCP:*

isabled:BitComet 23850 TCP
"23850:UDP"= 23850:UDP:*

isabled:BitComet 23850 UDP
"16107:TCP"= 16107:TCP:*

isabled:BitComet 16107 TCP
"16107:UDP"= 16107:UDP:*

isabled:BitComet 16107 UDP
"17822:TCP"= 17822:TCP:*

isabled:BitComet 17822 TCP
"17822:UDP"= 17822:UDP:*

isabled:BitComet 17822 UDP
"9023:TCP"= 9023:TCP:*

isabled:BitComet 9023 TCP
"9023:UDP"= 9023:UDP:*

isabled:BitComet 9023 UDP
"11183:TCP"= 11183:TCP:*

isabled:BitComet 11183 TCP
"11183:UDP"= 11183:UDP:*

isabled:BitComet 11183 UDP
"23906:TCP"= 23906:TCP:*

isabled:BitComet 23906 TCP
"23906:UDP"= 23906:UDP:*

isabled:BitComet 23906 UDP
"23580:TCP"= 23580:TCP:*

isabled:BitComet 23580 TCP
"23580:UDP"= 23580:UDP:*

isabled:BitComet 23580 UDP
"43554:TCP"= 43554:TCP:43554
"43554:UDP"= 43554:UDP:43554

S0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 19:42]
S0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 01:38]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]
S3 PciCon;PciCon;D:\PciCon.sys []

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-09 16:11:00 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job"
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 14:01:13
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Tempo para conclusão: 2008-05-09 14:07:09
ComboFix-quarantined-files.txt 2008-05-09 17:06:37
ComboFix2.txt 2008-05-08 22:30:52

Pre-Run: 4,201,005,056 bytes disponíveis
Post-Run: 4,190,900,224 bytes disponíveis

173 --- E O F --- 2008-02-27 01:50:10

--

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:54, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\VM_STI.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Palm\Hotsync.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Palm Registration.lnk = C:\Arquivos de programas\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Arquivos de programas\Palm\Hotsync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://www.catarinense.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8123 bytes

Blade81 · May 9, 2008

Hi

There're still some bad items running wild. Let's try to grab them

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
E:\0qx0sc6.bat
E:\2y8la.exe
E:\6g3.com
E:\c.com
E:\j.cmd
E:\lgcadwx.bat
F:\lgcadwx.bat
F:\c.com
F:\2y8la.exe
F:\0qx0sc6.bat
F:\6g3.com
F:\j.cmd

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-run Kaspersky online scanner and post back its report (without forgetting above meantioned ComboFix resultant log).

rckwll · May 10, 2008

ComboFix 08-05-01.3 - Usuario 2008-05-09 20:52:34.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.801 [GMT -3:00]
Executando de: C:\Documents and Settings\Usuario\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Usuario\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\0qx0sc6.bat
E:\2y8la.exe
E:\6g3.com
E:\c.com
E:\j.cmd
E:\lgcadwx.bat
F:\0qx0sc6.bat
F:\2y8la.exe
F:\6g3.com
F:\c.com
F:\j.cmd
F:\lgcadwx.bat
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\0qx0sc6.bat
E:\2y8la.exe
E:\6g3.com
E:\c.com
E:\j.cmd
E:\lgcadwx.bat
F:\0qx0sc6.bat
F:\2y8la.exe
F:\6g3.com
F:\c.com
F:\j.cmd
F:\lgcadwx.bat

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-09 to 2008-05-09 ))))))))))))))))))))))))))))))))
.

2008-05-06 23:02 . 2008-05-06 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2008-05-06 23:02 . 2008-05-06 23:02 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 12:23 . 2008-05-06 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-05-02 14:29 . 2008-05-02 14:29 69,008 --ah----- C:\WINDOWS\system32\mlfcache.dat

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 16:55 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-05-06 17:04 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Skype
2008-05-04 15:31 --------- d-----w C:\Arquivos de programas\eMule
2008-05-03 23:12 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2008-05-03 17:03 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-05-02 17:28 --------- d-----w C:\Arquivos de programas\Picasa2
2008-04-21 23:46 --------- d-----w C:\Arquivos de programas\Steam
2008-04-21 18:46 --------- d-----w C:\Arquivos de programas\Miranda IM
2008-04-18 17:03 --------- d-----w C:\Arquivos de programas\ScanSpyware v3.8.0.4
2008-04-15 23:40 --------- d-----w C:\Arquivos de programas\Java
2008-04-06 01:36 --------- d-----w C:\Arquivos de programas\Palm
2008-03-30 20:26 --------- d-----w C:\Arquivos de programas\MSN Messenger
2008-03-20 23:27 --------- d-----w C:\Arquivos de programas\Windows Live
2008-03-20 23:26 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-03-20 23:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Mobipocket.com
2008-03-16 21:23 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Mobipocket Shared
2008-02-28 02:44 98,304 ----a-w C:\WINDOWS\DUMP75db.tmp
2008-02-24 20:10 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-02-20 16:30 11,720 ----a-w C:\Arquivos de programas\uninstal.log
2002-12-11 17:17 13,366,265 --s-a-w C:\Arquivos de programas\Encore Manual.pdf
2004-08-04 03:45 73,728 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-08_19.29.40.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 22:21:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 23:51:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2006-11-12 07:48 157592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-14 07:36 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-02-24 16:00 49152]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]
"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-10-23 18:18 443968]

C:\Documents and Settings\Usuario\Menu Iniciar\Programas\Inicializar\
Palm Registration.lnk - C:\Arquivos de programas\Palm\register.exe [2005-08-08 12:36:14 2494464]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
HOTSYNCSHORTCUTNAME.lnk - C:\Arquivos de programas\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-26 11:24 357952]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-26 11:24 357952 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Rockstar Games\\Midnight Club II\\mc2.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Doomsday\\Bin\\Doomsday.exe"=
"C:\\Program Files\\Neoact\\Carom3D\\update.exe"=
"C:\\downloads\\utorrent.exe"=
"C:\\Arquivos de programas\\Miranda IM\\miranda32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\X-Lite\\X-Lite.exe"=
"C:\\Arquivos de programas\\Steam\\steamapps\\vagnerlevy\\day of defeat\\hl.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23850:TCP"= 23850:TCP:*

isabled:BitComet 23850 TCP
"23850:UDP"= 23850:UDP:*

isabled:BitComet 23850 UDP
"16107:TCP"= 16107:TCP:*

isabled:BitComet 16107 TCP
"16107:UDP"= 16107:UDP:*

isabled:BitComet 16107 UDP
"17822:TCP"= 17822:TCP:*

isabled:BitComet 17822 TCP
"17822:UDP"= 17822:UDP:*

isabled:BitComet 17822 UDP
"9023:TCP"= 9023:TCP:*

isabled:BitComet 9023 TCP
"9023:UDP"= 9023:UDP:*

isabled:BitComet 9023 UDP
"11183:TCP"= 11183:TCP:*

isabled:BitComet 11183 TCP
"11183:UDP"= 11183:UDP:*

isabled:BitComet 11183 UDP
"23906:TCP"= 23906:TCP:*

isabled:BitComet 23906 TCP
"23906:UDP"= 23906:UDP:*

isabled:BitComet 23906 UDP
"23580:TCP"= 23580:TCP:*

isabled:BitComet 23580 TCP
"23580:UDP"= 23580:UDP:*

isabled:BitComet 23580 UDP
"43554:TCP"= 43554:TCP:43554
"43554:UDP"= 43554:UDP:43554

S0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 19:42]
S0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 01:38]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]
S3 PciCon;PciCon;D:\PciCon.sys []

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-09 23:12:06 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job"
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 20:54:57
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Tempo para conclusão: 2008-05-09 21:00:42
ComboFix-quarantined-files.txt 2008-05-10 00:00:09
ComboFix2.txt 2008-05-09 17:07:10
ComboFix3.txt 2008-05-08 22:30:52

Pre-Run: 4,241,719,296 bytes disponíveis
Post-Run: 4,229,898,240 bytes disponíveis

181 --- E O F --- 2008-02-27 01:50:10

-----------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 11:16:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 750464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 119896
Number of viruses found: 26
Number of infected objects: 188
Number of suspicious objects: 0
Duration of the scan process: 01:45:52

Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\report\Proteção residente.txt Object is locked skipped
C:\Arquivos de programas\BrainWave Generator\BrainWave.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip/Absolute.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Arquivos de programas\eMule\Incoming\Absolute.Fretboard.Trainer.3.x.kmaker.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Histórico\History.IE5\MSHist012008050920080510\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\~DFED24.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temp\~DFED36.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Usuario\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\0qx0sc6.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\QooBox\Quarantine\C\2y8la.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\C\6g3.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\QooBox\Quarantine\C\c.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\C\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\C\lgcadwx.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\QooBox\Quarantine\E\0qx0sc6.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\QooBox\Quarantine\E\2y8la.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\E\6g3.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\QooBox\Quarantine\E\c.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\E\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\E\lgcadwx.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\QooBox\Quarantine\F\0qx0sc6.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\QooBox\Quarantine\F\2y8la.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\F\6g3.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\QooBox\Quarantine\F\c.com.vir Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\QooBox\Quarantine\F\j.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\QooBox\Quarantine\F\lgcadwx.bat.vir Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071696.dll Infected: Trojan-PSW.Win32.OnLineGames.aazm skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071698.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071816.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071826.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071831.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071873.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071875.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071883.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071925.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071927.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071943.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071944.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071946.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071954.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072008.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072010.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072011.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083814.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083815.dll Infected: Trojan-PSW.Win32.OnLineGames.aaxw skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083816.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083823.exe Infected: Trojan-PSW.Win32.OnLineGames.aayb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083824.dll Infected: Trojan-PSW.Win32.OnLineGames.acwh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083835.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083838.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083846.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083847.dll Infected: Trojan-PSW.Win32.OnLineGames.abal skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083859.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083862.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083870.exe Infected: Trojan-PSW.Win32.OnLineGames.adec skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083871.dll Infected: Trojan-PSW.Win32.OnLineGames.adeb skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083914.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083932.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083935.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083958.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083959.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083962.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083979.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084035.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084036.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084040.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084045.exe Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084046.dll Infected: Trojan-PSW.Win32.OnLineGames.adeh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084055.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084058.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084065.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084083.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084085.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084094.exe Infected: Trojan.Win32.Vaklik.agh skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084095.dll Infected: Trojan-PSW.Win32.OnLineGames.adnr skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084103.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084118.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085086.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085090.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085097.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085099.exe Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085100.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085102.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086086.dll Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086089.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086101.exe Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086102.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086103.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087086.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087090.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087098.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087099.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088087.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088107.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088110.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088118.exe Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088119.exe Infected: Trojan-PSW.Win32.OnLineGames.adtz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088121.dll Infected: Trojan-PSW.Win32.OnLineGames.aeep skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088135.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088181.exe Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088182.dll Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088183.dll Infected: Trojan-PSW.Win32.OnLineGames.aeaf skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089297.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089298.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089299.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089300.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089301.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089302.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
C:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_62c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071699.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071833.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071877.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071929.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071948.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072012.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072013.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083818.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083840.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083864.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083916.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083937.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083964.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083981.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084041.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084060.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084087.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084105.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084120.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085092.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085103.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086091.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087092.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088089.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088112.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088137.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089375.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089376.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089377.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089378.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089379.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
E:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089380.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054954.dll Infected: not-a-virus:AdWare.Win32.WinAD.am skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab/Sp0.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe/ci-temp0.cab Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{CF3380D7-62D1-4B19-96F4-B29436459BC0}\RP300\A0054955.exe CreateInstall: infected - 2 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071700.inf Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP525\A0071822.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071835.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071879.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071931.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0071950.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072014.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP526\A0072015.inf Infected: Trojan-PSW.Win32.OnLineGames.abes skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP527\A0073108.exe Infected: Trojan-Spy.Win32.Outside.12 skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083820.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083842.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP538\A0083866.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083918.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083939.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP539\A0083966.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0083983.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084043.bat Infected: Trojan-PSW.Win32.OnLineGames.adei skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084062.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP540\A0084089.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP541\A0084107.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0084122.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085094.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0085104.com Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0086093.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0087095.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088091.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088114.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP542\A0088140.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089381.bat Infected: Trojan-PSW.Win32.OnLineGames.adsy skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089382.exe Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089383.com Infected: Trojan-PSW.Win32.OnLineGames.aeai skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089384.com Infected: Trojan-PSW.Win32.OnLineGames.aaxz skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089385.cmd Infected: Trojan-PSW.Win32.OnLineGames.aecv skipped
F:\System Volume Information\_restore{85F572D8-1212-4939-A61B-7A9E43480252}\RP544\A0089386.bat Infected: Trojan-PSW.Win32.OnLineGames.zta skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\ProgrAmAs\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
F:\mirc6\miRC 6\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
F:\mirc6\outd.zip/mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
F:\mirc6\outd.zip ZIP: infected - 1 skipped

Scan process completed.

Blade81 · May 10, 2008

Hi

Bad findings are in system restore and Qoobox folder. Instructions below for resetting system restore and uninstalling ComboFix will take care of those findings.

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
The program is available for download here
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here
You can download SpywareBlaster here here
SpywareBlaster tutorial
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here
Download it here
hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
See here to choose one

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

rckwll · May 10, 2008

Thank you very much! The strange thing is that my avast has been updated aways, and detected nothing..

Once again, thank you, I knew I could count on you people from spybot.

Blade81 · May 10, 2008

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Malware.. kavo, tavo..

rckwll

New member

Blade81

Security Expert: Emeritus

rckwll

New member

Blade81

Security Expert: Emeritus

rckwll

New member

Blade81

Security Expert: Emeritus

rckwll

New member

Blade81

Security Expert: Emeritus

rckwll

New member

Blade81

Security Expert: Emeritus

rckwll

New member

Blade81

Security Expert: Emeritus